Ah, it was late last night and I misread part of that; no more 3am replies. :P

I thought when you said behind a DSL router you meant a DSL modem and the Internet IP was on the pfSense.

 

On the Ciscos, are you forwarding the appropriate ports (protocols 50/51 ESP/AH, and UDP 500) to the inside pfSense boxes?

In any of your rules, are you allowing UDP ISAKMP and ESP to the host? They might even have an IPsec passthrough option to do this.

 

Sorry for the confusion

John


From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 02, 2006 3:25 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Problem with ipsec tunnel

 

 

On 3/2/06, John Cianfarani <[EMAIL PROTECTED]> wrote:

1. Even though you need to NAT for your inside hosts, IPsec is listening on the WAN interface.

 

I'm sorry... I cannot understand the point...

PC -------- pfSense -------- Cisco 827 ----------internet

Here I have 2 NATs: pfSense is NATting my PC, and the Cisco is NATting pfSense. Of course, in pfSense I can see racoon listening on the WAN interface (only on 500/udp, not on 4500/udp).

 

2. Not sure, but my guess would be no (without a lot of easy configuration changes).


You mean you guess there is no port 4500?

 

One thing that was reversed in previous builds (not sure if it is changed in 2-20) is the "Prefer old IPsec SA" checkbox under System -> Advanced. Bill found that in the code pfSense already tries old SAs first, so when you check this box it will make it prefer NEW SAs. That was the heart of a lot of my IPsec troubles.


Mmh, I tried both ways... no difference...

 

Do you have the WAN as the local endpoint and LAN subnet as the local subnet on each side? I believe there is still an issue with ipsec-tools if you are trying to do a host-to-host setup (/32s).


Yes I have; I'm trying net-to-net. I'm so sorry I do not have my box here in order to send logs...

 

What are you using as your local identifier, IP or FQDN?


I tried both. Obviously, changing the PSK accordingly...

 

Once you get a session up, can you do a "ping -c 5 -S <your pfsense lan ip> <remote pfsense lan ip>" from the Diag -> Command Prompt tab?


Ok, I'll do it... For now, I am testing pinging from a PC on the LAN side.

I think tonight I'll do some other tests, using a Linux box as the second endpoint (I am more familiar with the Linux IPsec implementation).
Ah, by the way... when I see an SPD or an SA established, should something be visible with netstat -rn?
Thank you again...

 

Thanks

John


From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 02, 2006 2:38 AM
To: support@pfsense.com
Subject: [pfSense Support] Problem with ipsec tunnel

 

Hi guys!
Yesterday I tried to set up a VPN tunnel between me and a friend. We had mainly 2 problems: first, we both have dynamic IPs (but this could be solved, for example, by looking at the IP given by the provider and setting up the tunnel with that IP...). Second, we are both behind a DSL router, so the pfSense boxes are both NATed...
I tried to establish a tunnel in many ways: net-to-net, net-to-mobile (following the marvellous tutorial), using a dyndns record, etc. But I had problems... the IPsec SA establishes, the SPD also, but in the end I cannot get traffic passing. NO traffic dropped in the firewall logs... On the routers, we redirected only port 500/UDP from the router to the pfSense boxes...
So, my questions are:
1) is it possible to establish such a tunnel (2 NATed endpoints, in aggressive mode, PSK)? In early IPsec-over-UDP implementations, I can remember there were some problems in such a configuration.
2) if it is possible, do I have to redirect other ports? In the Linux IPsec implementation, when I use NAT-T I had to rdr port 4500/udp, but on my pfSense box I cannot see such a port open...
3) ...and in the end... am I missing something? I do not have my box with me now, but I can recall the settings very well...


I'm using the 02-20 SNAPSHOT.
Thank you, guys... very much.
Tom
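The thread above turns on whether the DSL routers forward enough for NAT-Traversal: with both peers NATed, IKE first runs on UDP/500, the peers announce NAT-T support with a Vendor ID payload (RFC 3947) and detect the NAT with NAT-D payloads, and from then on both IKE and ESP are carried on UDP/4500 (RFC 3948), so forwarding only 500/udp leaves the data path with nowhere to go. The following is an added example, not code from pfSense, racoon, or anyone in the thread: a small parser for plaintext ISAKMP datagrams that reports which exchange and payloads are present, whether the RFC 3947 Vendor ID was offered, and, on UDP/4500, whether a datagram is IKE (zero non-ESP marker) or UDP-encapsulated ESP (non-zero SPI). The sample packets are constructed by hand, not captured; the Vendor ID is computed as MD5 of the string "RFC 3947" as the RFC specifies, and the older draft-ietf-ipsec-nat-t-ike-0x Vendor IDs some racoon builds also send are deliberately left out.

```python
"""Minimal IKEv1 (ISAKMP) datagram parser for spotting NAT-Traversal.

Added example, not code from pfSense, racoon or the thread's participants.
Sample packets below are constructed inline, not captured from a real peer.
"""
import hashlib
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # RFC 2408 s3.1: icookie, rcookie, next, ver, exch, flags, msgid, len
PAYLOAD_HDR = struct.Struct("!BBH")          # generic payload header: next payload, reserved, payload length
PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_ID, PAYLOAD_NONCE, PAYLOAD_VID, PAYLOAD_NAT_D = 1, 4, 5, 10, 13, 20
EXCHANGE_NAMES = {2: "main mode", 4: "aggressive mode", 5: "informational", 32: "quick mode"}
FLAG_ENCRYPTED = 0x01
NON_ESP_MARKER = b"\x00\x00\x00\x00"

# RFC 3947 s3.2: the NAT-T Vendor ID is the MD5 hash of the string "RFC 3947".
# Assumption for this example: only the RFC ID is recognised; draft IDs are omitted.
NAT_T_VENDOR_IDS = {hashlib.md5(b"RFC 3947").digest(): "RFC 3947"}


def build_isakmp(exchange, payloads, icookie=b"\x11" * 8, rcookie=b"\x00" * 8):
    """Serialise a plaintext ISAKMP message from a list of (payload_type, body) pairs."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += PAYLOAD_HDR.pack(nxt, 0, PAYLOAD_HDR.size + len(body)) + body
    first = payloads[0][0] if payloads else 0
    hdr = ISAKMP_HDR.pack(icookie, rcookie, first, 0x10, exchange, 0, 0, ISAKMP_HDR.size + len(chain))
    return hdr + chain


def parse_isakmp(datagram, udp_port):
    """Classify one datagram seen on UDP/500 or UDP/4500 and walk its payload chain."""
    if udp_port == 4500:
        # RFC 3948 s2.2: on 4500 a zero marker precedes IKE; a non-zero first word is the SPI of ESP-in-UDP.
        if len(datagram) < len(NON_ESP_MARKER):
            raise ValueError("short UDP/4500 datagram")
        if datagram[:4] != NON_ESP_MARKER:
            return {"kind": "udp-encapsulated ESP", "spi": datagram[:4].hex()}
        datagram = datagram[4:]
    if len(datagram) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    _icookie, rcookie, nxt, _ver, exch, flags, _msgid, length = ISAKMP_HDR.unpack_from(datagram)
    if length != len(datagram):
        raise ValueError("ISAKMP length %d does not match datagram length %d" % (length, len(datagram)))
    payloads = []
    offset = ISAKMP_HDR.size
    if not flags & FLAG_ENCRYPTED:           # encrypted messages (late phase 1, all of phase 2) cannot be walked
        while nxt != 0:
            if offset + PAYLOAD_HDR.size > length:
                raise ValueError("payload chain runs past end of message")
            following, _reserved, plen = PAYLOAD_HDR.unpack_from(datagram, offset)
            if plen < PAYLOAD_HDR.size or offset + plen > length:
                raise ValueError("bad payload length %d at offset %d" % (plen, offset))
            payloads.append((nxt, datagram[offset + PAYLOAD_HDR.size:offset + plen]))
            offset, nxt = offset + plen, following
    vids = [body for ptype, body in payloads if ptype == PAYLOAD_VID]
    return {
        "kind": "IKE",
        "exchange": EXCHANGE_NAMES.get(exch, "type %d" % exch),
        "encrypted": bool(flags & FLAG_ENCRYPTED),
        "responder_cookie_set": rcookie != b"\x00" * 8,
        "payload_types": [ptype for ptype, _ in payloads],
        "nat_t_offered": [NAT_T_VENDOR_IDS[v] for v in vids if v in NAT_T_VENDOR_IDS],
        "nat_d_count": sum(1 for ptype, _ in payloads if ptype == PAYLOAD_NAT_D),
    }


def nat_t_verdict(first_message, udp_port=500):
    """What the first datagram from a peer implies for the port forwards on the NAT router."""
    info = parse_isakmp(first_message, udp_port)
    if info["kind"] != "IKE":
        return "ESP-in-UDP on 4500: NAT-T is already in use, 4500/udp must be forwarded"
    if info["nat_t_offered"]:
        return "peer offers NAT-T (%s): forward 500/udp and 4500/udp, ESP will ride on 4500" % ", ".join(info["nat_t_offered"])
    return "no NAT-T Vendor ID: ESP (IP protocol 50) would have to pass the NAT router as-is"


# Constructed samples: aggressive-mode message 1 with and without the NAT-T Vendor ID,
# and a UDP/4500 datagram that is ESP-in-UDP (SPI, sequence number, ciphertext).
AGGR_ID = b"\x01\x11\x00\x00\xc0\xa8\x01\x01"            # ID_IPV4_ADDR, proto UDP, port 0, 192.168.1.1
AGGR_WITH_NAT_T = build_isakmp(4, [
    (PAYLOAD_SA, b"\x00" * 12), (PAYLOAD_KE, b"\x01" * 16), (PAYLOAD_NONCE, b"\x02" * 16),
    (PAYLOAD_ID, AGGR_ID), (PAYLOAD_VID, hashlib.md5(b"RFC 3947").digest()),
])
AGGR_WITHOUT_NAT_T = build_isakmp(4, [
    (PAYLOAD_SA, b"\x00" * 12), (PAYLOAD_KE, b"\x01" * 16), (PAYLOAD_NONCE, b"\x02" * 16),
    (PAYLOAD_ID, AGGR_ID),
])
ESP_IN_UDP = b"\x5a\x1b\x3c\x4d" + b"\x00\x00\x00\x01" + b"\xee" * 24

if __name__ == "__main__":
    for name, pkt, port in [("aggr+NAT-T", AGGR_WITH_NAT_T, 500),
                            ("aggr plain", AGGR_WITHOUT_NAT_T, 500),
                            ("esp-in-udp", ESP_IN_UDP, 4500)]:
        print(name, parse_isakmp(pkt, port))
        print("  ->", nat_t_verdict(pkt, port))
```

Run against a real capture (for instance the first datagrams of a tunnel attempt taken with tcpdump on the pfSense WAN), the same parser tells you in seconds whether the peer ever offered NAT-T and whether anything is arriving on 4500 at all; if the answer to either is no, the problem is the router's forwards or the racoon build, not the phase-2 settings.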

 
